Republished: Phorming Relationships

Originally published on Benscomputer.no-ip.org 06 Jun 2008

Most people have heard of 121Media, although they may not be able to place where they heard the name. Well 121Media are back as Phorm, and so far they've created quite a stir. They are pushing a new style of Targeted Advertising whereby they place some hardware between your computer and the Internet and analyse the pages you access in order to serve you with 'more relevant' advertising. Unlike many other online advertisers, Phorm will not just base adverts on partner pages that you have previously accessed, but will actively analyze the contents of almost every page you view.


The system is designed to be 'opt-out': you are subscribed to it by default and have to actively ask to be removed from the 'service'. The opt-out is recorded by means of a cookie, which means you need to opt out on every single PC and web browser you intend to use. Should you clear your cookies, you will, in effect, be opted back in. Regardless of whether you are opted in or out, your web traffic will still pass through Phorm's hardware; users who are opted out will have their traffic disregarded, or so Phorm claim.

Phorm claim that the data they collect is anonymised: a randomly generated user ID is allocated to your browser by means of a cookie, and certain categories of content are excluded from their analysis. This, allegedly, includes credit card numbers, web-based email services and various online forms. However, because of the way the system is designed, Phorm could change these exclusions at any time without even your Internet Service Provider (ISP) knowing.

In January 2008 The Register[1] published a story revealing the intention of three big ISPs to install Phorm's hardware in their networks. Because of the related press releases, The Register was also able to explain an issue raised in an earlier story. Some BT customers had noticed that their computers appeared to be contacting a specific web address regularly and without prompting. Despite taking steps to eliminate malware (spyware, viruses, adware etc.) the problem continued, and BT's customer support insisted it must be malware on the user's system. The press releases led these customers to realise that, along with tens of thousands of other customers, they had been included in a trial of Phorm's system: a trial that they had neither been made aware of nor given BT permission to run on their lines.

This abuse of trust is partly responsible for the resulting outcry against Phorm's technology. It was also revealed that the Chief Executive Officer of Phorm has direct links to malware. Whilst he puts a slight spin on the issue, the CEO does admit that 121Media were developing adware. He denies that adware falls into the malware category, but most people will agree that, as unwanted software, it indisputably does.

Shortly after the announcement that BT, Virgin Media and Carphone Warehouse were planning to sell their customers' browsing habits to Phorm, several websites sprang up in protest. One of the most notable is BadPhorm[2]. Alongside these sites, a petition was quickly launched on the Prime Minister's website to prevent Phorm's system being accepted in its current state.

Phorm and its partners released a number of statements trying to calm the storm; BT's releases were notable for focusing largely on the 'anti-phishing' features of their 'WebWise' service. Far from reducing the criticism aimed at them, BT's stance instead raised the question of why the ISP was focusing so heavily on the anti-phishing features of a service it claimed was highly desirable in its own right. Many felt that, were users better informed about the true nature of WebWise, they would reject it, and BT's steady stream of anti-phishing press releases only reinforced that impression. As many pointed out, the service brings nothing new in the realm of anti-phishing: browsers such as Mozilla Firefox have included built-in anti-phishing lists for quite some time.

On the 28th of March 2008 the issue of Phorm was raised[3] by Don Foster, Shadow Secretary of State for Culture, Media and Sport. He wrote to BT's Chairman, Sir Michael Rake[4], and asked him to explain BT's secret trials. At the same time William Hague raised concerns about Phorm's services as a result of concerns raised by his constituents[5].

As could be expected, by this point articles about Phorm were appearing all over the Internet, including on Wikipedia. However, on the 8th of April 2008 The Register revealed[6] that Phorm had edited the Wikipedia article devoted to it, deleting some key details in an apparent attempt to improve its brand image. Phorm claimed that they were unaware of Wikipedia's policy on conflicts of interest. Phorm then admitted to The Register that they were 'a little over zealous' in their efforts to correct some factual inaccuracies and so 'erroneously removed some relevant items in the editing process.' This, they stated, would not happen again. For many, however, this was just another reason not to trust Phorm with their browsing habits, or with any of the personal information that could potentially be accessed during the analysis.

Trust lies at the heart of the matter: were Phorm a more trustworthy company, many would be happier to believe that the opt-out would be honoured, although the question of how the opt-out operates would certainly remain.

So many people complained to the Information Commissioner's Office[7] about BT's secret trials and the future ramifications of Phorm's system that on the 18th of April 2008 it released a statement[8]. However, to the ire of many, the statement did not condemn Phorm in the way that had been expected. Many had expected the ICO to raise concerns over 'interception' as defined under the Regulation of Investigatory Powers Act 2000 (RIPA); instead the statement skirted the issue by stating that the ICO is not responsible for enforcing RIPA and has no expertise in whether an interception subject to RIPA has taken place. It explained that the Home Office had provided Phorm with written guidance saying that it was questionable whether the use of Phorm's technology actually involved an interception within the meaning of RIPA, and that even if it did there would be an argument that the interception was not unlawful.

The ICO concluded that Phorm can operate WebWise and OIX in a way which is compliant with both the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), but must be sensitive to the concerns of users. The ICO stated that it would continue to keep Phorm's products under review as they mature, and that the Commissioner's view would be strongly influenced by the experience of those users who choose to participate in any trials, and by the way in which they are able to make that decision.

Given that legal remedies appeared not to be forthcoming, despite complaints to the ICO and requests for the prosecution of those responsible for BT's secret trials in 2006 and 2007, users began to explore other means of preventing Phorm from abusing their trust. The most obvious way to do this was to undermine Phorm's business model, and on the 15th of May 2008 'AntiPhormLite' was released[9]. AntiPhormLite is a piece of software for MS Windows that 'poisons' the clickstream Phorm relies on to make money. Available free of charge, it works by generating web traffic to various addresses, using 'natural time delays' and traffic throttling. These features not only reduce the amount of bandwidth used, but also make it harder for Phorm to distinguish the generated traffic from your own. One downside of undermining Phorm in this way, however, is that you need to remain opted in to their service, and so are potentially allowing them to view the pages you access.
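To make the 'natural time delays' and throttling point concrete, here is an added example written for this republication; it is my own offline simulation, not AntiPhormLite's code, which is not reproduced here. The decoy site list and the page sizes are assumptions for the demo and nothing is actually fetched. It contrasts a naive scheduler that fires a decoy request every 30 seconds with one that draws delays from a heavy-tailed (log-normal) distribution and stops at a byte budget, and shows the one-line regularity check a profiler in the ISP path could use to discard the naive stream.

```python
"""Decoy clickstream scheduling with jitter and a byte budget.

Added example for this article; the AntiPhormLite implementation itself is
not reproduced here.  DECOY_SITES and the page sizes are assumptions for the
simulation and nothing is actually fetched.
"""
import math
import random
import statistics

# Constructed list of (url, approximate page size in bytes).  Assumed values.
DECOY_SITES = [
    ("http://decoy-news.example/", 220_000),
    ("http://decoy-recipes.example/", 180_000),
    ("http://decoy-travel.example/", 350_000),
    ("http://decoy-sport.example/", 400_000),
    ("http://decoy-gardening.example/", 150_000),
]


def naive_schedule(n, interval=30.0):
    """Fire a decoy request every `interval` seconds.  Trivially separable
    from real browsing: nobody waits exactly 30 s between page loads.
    Returns a list of (delay_seconds, url, bytes)."""
    return [(interval,) + DECOY_SITES[i % len(DECOY_SITES)] for i in range(n)]


def jittered_schedule(n, byte_budget, seed=0, median_delay=45.0, sigma=0.9):
    """Draw inter-request delays from a log-normal distribution (heavy-tailed,
    roughly the shape of human dwell time) and stop once the byte budget is
    spent.  Returns a list of (delay_seconds, url, bytes)."""
    rng = random.Random(seed)  # seeded so the schedule is reproducible
    schedule, spent = [], 0
    for _ in range(n):
        url, size = rng.choice(DECOY_SITES)
        if spent + size > byte_budget:
            break  # throttle: never exceed the budget
        delay = rng.lognormvariate(math.log(median_delay), sigma)
        schedule.append((round(delay, 2), url, size))
        spent += size
    return schedule


def bytes_used(schedule):
    """Total bytes the schedule would pull through the line."""
    return sum(size for _, _, size in schedule)


def regularity_score(schedule):
    """Coefficient of variation of the inter-request delays.  A profiler can
    discard any stream whose delays are nearly constant: a fixed-interval
    generator scores exactly 0.0, while jittered delays score well above it."""
    delays = [delay for delay, _, _ in schedule]
    if len(delays) < 2:
        return 0.0
    return statistics.pstdev(delays) / statistics.mean(delays)


if __name__ == "__main__":
    naive = naive_schedule(20)
    jittered = jittered_schedule(20, byte_budget=5_000_000, seed=1)
    print("naive    : %d requests, CV=%.2f" % (len(naive), regularity_score(naive)))
    print("jittered : %d requests, CV=%.2f, %d bytes"
          % (len(jittered), regularity_score(jittered), bytes_used(jittered)))
```

The regularity score is the simplest possible classifier; a real profiler could also look at the mix of sites, the absence of sub-resource fetches, or the lack of any navigation path between pages, which is why a decoy generator that only randomises timing should not be assumed to be undetectable.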

At the end of May 2008 the ICO announced that it would not be pursuing BT for breaches of the PECR. As a result, on the 10th of June 2008 the European Commission announced[10] that it is considering intervening over the failure of UK watchdogs to punish BT for the way it secretly co-opted customers into trials of Phorm's system. The European Commission stated that the PECR obliges member states to "ensure the confidentiality of communication and related traffic data through regulation. In particular they are required to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users without their consent, which must be freely given, specific and informed indication of the users wishes."

To date no further action has been taken, although the European Commission has stated that it is in contact with UK watchdogs to ensure compliance, and that if necessary it will levy a fine on the UK to encourage compliance.

Anti-Phorm protesters are planning to picket BT's Annual General Meeting at the Barbican, London, on the 16th of July 2008. They hope this will raise awareness among both the public and the shareholders themselves, and ultimately prevent Phorm's system from being adopted.

ISPs have always had the ability to view the content of most pages that you visit, and to capture data that you send to a website. But whilst your ISP is perfectly capable of phoning your wife and telling her what jewellery you have been buying, or of publishing your details online along with which types of pornography 'float your boat', when you become its customer you trust that it will not. It is this relationship of trust that is being eroded by the business relationship between the ISP and Phorm.

Anything that infringes on a user's privacy is likely to meet a poor reception. Despite claims that the gathered information is 'sanitised' and anonymised, many users still remember the same claims being made by AOL when it published details of searches made by some of its users[11]. AOL published three months' worth of search terms entered into its search engine by thousands of users; to anonymise the data, AOL replaced user names with random user IDs. Within hours of the data being released, the first user had been identified.

The same issue exists for the ISPs: experience shows that such information can never be anonymised enough. Additionally, the more anonymised the data becomes, the less use it is for targeted advertising. For many users this only heightens the discomfort: not only can the information not be fully anonymised, but it is being passed to a company with proven links to malware.
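The two paragraphs above make the same point about AOL's search release and about a Phorm profile keyed by a random user ID: swapping the user name for a random token does nothing if the payload itself carries quasi-identifiers. The toy below is an added example written for this republication, not the method used against the real AOL data and not anything from Phorm or AOL. Every piece of data in it is constructed: the pseudonymised search log, the 'public directory' standing in for phone books, electoral rolls and social profiles, and all of the names, towns and streets are invented. It joins the queries behind each random ID against the directory and reports a match only when one person clearly stands out, so that a user with only generic queries, or one whose queries fit two people equally, stays unlinked.

```python
"""Linkage attack on a pseudonymised search log.

Added example for this article; the log, the directory and every name in
them are constructed, and this is not the method used against the real AOL
data, only the same idea reduced to a toy.
"""
from collections import defaultdict

# Constructed pseudonymised log: (random user ID, query), the shape AOL
# published.  The ID is random; the queries are untouched.
SEARCH_LOG = [
    ("7f3a", "plumber ashby vale"),
    ("7f3a", "kestrel lane bin collection day"),
    ("7f3a", "vale dental opening hours"),
    ("7f3a", "symptoms of high blood pressure"),
    ("9c21", "best pizza dough recipe"),
    ("9c21", "weather tomorrow"),
    ("9c21", "how to fix a leaking tap"),
    ("b044", "holloway ashby vale"),
    ("b044", "second hand cars"),
]

# Constructed 'public directory': a stand-in for phone books, electoral rolls
# or social profiles that an attacker can join against.  All invented.
DIRECTORY = [
    {"name": "Margaret Holloway", "town": "Ashby Vale",
     "street": "Kestrel Lane", "employer": "Vale Dental"},
    {"name": "Thomas Holloway", "town": "Ashby Vale",
     "street": "Mill Road", "employer": "Northgate Logistics"},
    {"name": "Priya Nair", "town": "Bexton",
     "street": "Orchard Close", "employer": "Bexton Library"},
]


def group_queries(log):
    """Collect every query per pseudonymous ID.  The ID is the only thing the
    publisher randomised, and it is stable, so this step costs nothing."""
    by_user = defaultdict(list)
    for uid, query in log:
        by_user[uid].append(query.lower())
    return by_user


def quasi_identifiers(entry):
    """Directory attributes people tend to type into a search box."""
    surname = entry["name"].split()[-1]
    return [entry["town"], entry["street"], entry["employer"], surname]


def score_candidates(queries, directory):
    """Count how many of each person's quasi-identifiers occur in the queries."""
    scores = {}
    for entry in directory:
        hits = sum(1 for attr in quasi_identifiers(entry)
                   if any(attr.lower() in q for q in queries))
        scores[entry["name"]] = hits
    return scores


def reidentify(log, directory, min_hits=2):
    """Map each pseudonymous ID to a directory name, or None when the
    evidence is too thin (fewer than min_hits) or ambiguous (a tie)."""
    result = {}
    for uid, queries in group_queries(log).items():
        ranked = sorted(score_candidates(queries, directory).items(),
                        key=lambda kv: kv[1], reverse=True)
        best_name, best = ranked[0]
        runner_up = ranked[1][1] if len(ranked) > 1 else 0
        result[uid] = best_name if best >= min_hits and best > runner_up else None
    return result


if __name__ == "__main__":
    for uid, name in reidentify(SEARCH_LOG, DIRECTORY).items():
        print(uid, "->", name or "not linked")
```

The user behind `7f3a` is linked through a town, a street and an employer, none of which AOL's ID substitution would have removed; `b044` fits two people in the same household equally and stays unlinked, which is the only protection a tie offers. The same join works against a Phorm profile, because the page contents that Phorm categorises are the payload; a stable random ID in a cookie plus that content is pseudonymisation, not anonymisation.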

The three participating ISPs may occupy a large portion of the market, but their customers are already beginning to walk away in disgust, and the ISPs may still face legal challenges once the system is implemented. Bit by bit the existing relationship between ISP and customer is disintegrating, and a new type of relationship is being Phormed.


References